Trust

Lojycally secured by design.

Security, privacy, and compliance aren't a tab in this app — they are the architecture. Tenant isolation, signed evidence, and a tamper-proof audit ledger run by default, on every workspace, from day one.

ISO 27001 · SOC 2 · GDPR · NIST / DORA

Maintained by Lojycal. This page describes controls we operate — it is not an independent third-party certification.

Controls

What's on by default.

These controls apply to every workspace on the platform. They are not premium add-ons, not opt-in, and not configurable away.

Encryption

TLS 1.2+ in transit. Data encrypted at rest by the managed database. Secret columns (OAuth tokens, webhook secrets, recovery codes) are individually encrypted at the column layer and unreadable to the application's read role.

Access & MFA

Password sign-in requires a second factor via TOTP. Step-up to AAL2 is enforced before any privileged or governance surface loads. Recovery codes are hashed; one-time use only.

Audit logging

Every privileged action — role grants, break-glass, policy approvals, evidence exports — writes to a WORM ledger blocked from UPDATE and DELETE at the database trigger layer. Even the workspace owner cannot rewrite history.
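One way to build and self-test an append-only ledger at the trigger layer, as an added example that is not Lojycal's code. It uses SQLite as a stand-in because the page does not name its database engine, and the table, column and function names are assumptions made for illustration.

```python
import sqlite3

# Hypothetical schema: names are assumptions, not the platform's own.
SCHEMA = """
CREATE TABLE audit_ledger (
    id     INTEGER PRIMARY KEY AUTOINCREMENT,
    org_id TEXT NOT NULL,
    actor  TEXT NOT NULL,
    action TEXT NOT NULL
);
-- Any UPDATE or DELETE aborts before it touches a row, whoever issues it.
CREATE TRIGGER audit_ledger_no_update BEFORE UPDATE ON audit_ledger
BEGIN SELECT RAISE(ABORT, 'audit_ledger is append-only'); END;
CREATE TRIGGER audit_ledger_no_delete BEFORE DELETE ON audit_ledger
BEGIN SELECT RAISE(ABORT, 'audit_ledger is append-only'); END;
"""

def open_ledger():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def record(db, org_id, actor, action):
    """Append one ledger entry; INSERT is the only write the triggers allow."""
    with db:
        db.execute(
            "INSERT INTO audit_ledger (org_id, actor, action) VALUES (?, ?, ?)",
            (org_id, actor, action))

def attempt(db, sql):
    """Run a statement; return 'ok' or the error text the trigger raised."""
    try:
        with db:
            db.execute(sql)
        return "ok"
    except sqlite3.DatabaseError as exc:
        return str(exc)

def self_check():
    """Write constructed sample entries, try to rewrite them, report the outcome."""
    db = open_ledger()
    record(db, "org-a", "owner@example.test", "role_grant")
    record(db, "org-a", "owner@example.test", "evidence_export")
    return {
        "update": attempt(db, "UPDATE audit_ledger SET actor = 'x' WHERE id = 1"),
        "delete": attempt(db, "DELETE FROM audit_ledger WHERE id = 1"),
        "rows": db.execute("SELECT COUNT(*) FROM audit_ledger").fetchone()[0],
        "actor": db.execute("SELECT actor FROM audit_ledger WHERE id = 1").fetchone()[0],
    }

if __name__ == "__main__":
    print(self_check())
```

A check like `self_check` can run on a schedule so that a dropped or disabled trigger shows up as a failed assertion rather than as silent loss of immutability.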

Tenant isolation

Per-organisation Row-Level Security policies on every table that holds customer data. Cross-tenant access is denied by default and verified by nightly isolation tests.

Subprocessors

Data is processed inside the EU. The current subprocessor list is published in your workspace under Regional Compliance and changes are versioned in the audit log.

Incident response

Suspected security issues route to a dedicated mailbox, are triaged within one business day, and tracked to closure. Customer notification follows the timelines required by GDPR and contractual DPAs.

Contact

Responsible disclosure.

If you believe you've found a security or privacy issue, please report it to admin@lojycal.space. We acknowledge reports within one business day and ask that you give us a reasonable window to remediate before public disclosure. We will not pursue legal action against good-faith researchers who follow this process and avoid exfiltrating customer data, degrading the service, or accessing accounts that are not their own.

Ready to see it in your own workspace?

Spin up a workspace and the controls described above are running before you finish your coffee.